Executive Summary

Independent Evaluation of the FDIC’s Information Security Program—2009
Report No. AUD-10-001
November 2009

Why We Did The Audit

The Federal Information Security Management Act of 2002 (FISMA) requires federal agencies, including the FDIC, to have annual independent evaluations by agency Inspectors General of their information security program and practices and to report the results of the evaluation to the Office of Management and Budget (OMB). The FDIC Office of Inspector General (OIG) contracted with KPMG, LLP (KPMG) to perform an audit to fulfill the requirements for the 2009 independent evaluation. The objective of the audit was to determine the effectiveness of the FDIC’s information security program and practices, including the FDIC’s compliance with FISMA and related information security policies, procedures, standards, and guidelines.

Background

Key to achieving the FDIC’s mission of maintaining stability and public confidence in the nation’s financial system is safeguarding sensitive information. Ensuring the confidentiality, integrity, and availability of this information in an environment of increasingly sophisticated security threats requires a strong, corporate-wide information security program.

The National Institute of Standards and Technology (NIST) has developed information security standards and guidelines, including recommended security controls, for Federal information systems and organizations. NIST has organized recommended security controls into families that define the security control structure.

Audit Results

The FDIC has established a corporate-wide information security program, including policies and procedures, addressing the principal provisions of FISMA and the standards and guidelines of the NIST. The FDIC had also implemented a number of important security control improvements following KPMG’s 2008 evaluation, such as encrypting mainframe and server backup tapes, developing a multi-year strategy for generating and reviewing audit logs for the FDIC’s portfolio of information systems, and restricting access to security logs from network devices. Additional control improvements were underway at the close of the audit.

The above accomplishments were positive. However, KPMG identified a number of security program control families warranting management attention. Most notably, KPMG identified access control deficiencies within the FDIC’s internal network similar to those identified in the 2008 FISMA evaluation that presented a high risk of unauthorized disclosure of sensitive information or compromise of information technology resources. While the FDIC took prompt action to address the specific access control vulnerabilities identified during the audit, priority management attention in this area continues to be warranted.

The report identifies nine steps that the Corporation can take to strengthen its information security controls. These steps address such areas as: Enterprise Architecture; Risk Assessment; Planning; Certification, Accreditation, and Security Assessments; Physical and Environmental Protection; Configuration Management; Identification and Authentication; Access Control; and Audit and Accountability. In many cases, the FDIC was already working to improve security controls in these areas during KPMG’s audit.

We will issue our responses to specific questions raised by OMB in its August 20, 2009 memorandum, FY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, through the OMB automated collection tool. Our responses to the OMB questions, together with the independent security evaluation report, satisfy our 2009 FISMA reporting requirements.

Because this report addresses sensitive issues associated with information security, we do not intend to make public release of the specific contents of the report.